Two-factor authentication with Joomla and Yubikey

Online security, and in particular how to create strong passwords, has been discussed a lot lately. Many users create weak passwords in their systems, which is one factor in letting hackers in. As an added security measure, online service providers offer two-factor authentication.

What this means is that you have a username, a password and a one-time password that is generated by a gadget you control. This can be a dedicated gadget (like the ones many banks issue) or it can be an app on your smartphone (like Google Authenticator). These solutions normally give you a 6-digit one-time code that you can enter into the system.

There are also USB solutions that let you plug the device into the computer, click a button and the device will enter a strong one-time password into the appropriate field on the computer. One of the larger providers of these USB devices is Yubico, with their USB stick Yubikey.

The Yubikey can be used with popular services like LastPass, to add an extra security layer onto your login. Now, we can have the same solution in Joomla.

You can order a Yubikey from Yubico for US$25 - I did and received one in just under a week. It was sent in a normal letter from the company and I could start using it immediately.

Setting up the Yubikey

The Yubikey can be used without any further setup, but you might want to test it on the Yubikey page first. You can also download the Yubikey personalization tool to further configure the device. The key has two configurations available. One is already set up, the other one can be changed with the tool. You can find more about this on the Yubico website. As mentioned, you don't need to do any setup to start using the Yubikey with Joomla.

Two-factor authentication in Joomla 3.2

Joomla 3.2 adds two plugins for using two-factor authentication on your site: Yubikey and Google Authenticator.

To use these plugins, you need to activate them in the Joomla plugin manager. Activate only the ones you plan to use.

I will show you how to set up the Yubikey authenticator plugin. After you have activated the Yubikey plugin, click the plugin name to edit the settings.

On the settings page, you can decide if you want to use the two-factor authentication on the front-end, the back-end or both. What you decide on depends on how you have set up your site and who uses it. If you have some users with content editing access from the front-end only, it might be overkill to have two-factor authentication on the front-end. It might be better to limit the use to those users who have access to the back-end of the site and more vital settings. This, however, depends on your own setup and security considerations.

Save the settings.

Set up users

Now, you need to go into each of the users to set up their Yubikey authentication. You can activate or deactivate the authentication on each user individually. They will need to have one Yubikey each.

To activate the Yubikey, follow the instructions on-screen. Then, save the configuration.

Emergency passwords

After you have saved the configuration with the Yubikey, you will see a series of one-time passwords at the bottom of the screen. Make sure you save these in a safe place, in case you lose your Yubikey. Print them out, save them in a secure application etc.

Now, you can log in to the Joomla administrator (or site) with your username, password and secret key from the Yubikey.

To enter the one-time password (OTP) from the Yubikey, set the cursor in the secret key field and then press the Yubikey hardware button. The OTP will be entered and you will be logged in.
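What the Yubikey types into the secret key field, shown as an added example (this is not Joomla's or Yubico's code): a factory-default Yubico OTP is 44 "modhex" characters, where the first 12 identify the key and the remaining 32 are the encrypted one-time part. The function names, the enrolled ID and the sample OTP below are constructed for illustration; the cryptographic check itself can only be done by a validation service that holds the key's secret.

```python
import hmac

MODHEX = "cbdefghijklnrtuv"   # Yubico's keyboard-layout-safe hex alphabet
TO_HEX = str.maketrans(MODHEX, "0123456789abcdef")
OTP_LEN, ID_LEN = 44, 12      # factory default: 12-char public ID + 32-char token

# Constructed sample, not output from a real key.
SAMPLE_OTP = "vvcccccbdefg" + "hijklnrtuvcbdefg" * 2


def parse_otp(otp):
    """Split an OTP into (public_id, token_bytes); raise ValueError if malformed."""
    otp = otp.strip().lower()
    if len(otp) != OTP_LEN or any(ch not in MODHEX for ch in otp):
        raise ValueError("not a 44-character modhex OTP")
    public_id, token = otp[:ID_LEN], otp[ID_LEN:]
    return public_id, bytes.fromhex(token.translate(TO_HEX))


def precheck(otp, enrolled_id, seen):
    """Local checks a site can make before asking a validation service.

    enrolled_id: public ID stored when the user activated the key (assumed).
    seen: set of OTPs already submitted, to reject an exact resubmission.
    """
    try:
        public_id, _ = parse_otp(otp)
    except ValueError:
        return "malformed"
    # The OTP must come from the key enrolled for this user, not just any key.
    if not hmac.compare_digest(public_id, enrolled_id):
        return "wrong-key"
    normalized = otp.strip().lower()
    if normalized in seen:
        return "replayed"
    seen.add(normalized)
    return "forward-to-validation"


if __name__ == "__main__":
    history = set()
    print(parse_otp(SAMPLE_OTP)[0])                          # public ID of the key
    print(precheck(SAMPLE_OTP, "vvcccccbdefg", history))     # first use
    print(precheck(SAMPLE_OTP, "vvcccccbdefg", history))     # same OTP again
```

The public ID stays the same for every press of the button, which is why one Yubikey per user is needed; only the 32-character tail changes.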


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. joomlablogger.net is not affiliated with or endorsed by the Joomla!® Project or Open Source Matters. The Joomla!® logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.
